Mumbai-based Shipyaari, a software company that provides shipping logistics for consumer goods, has exposed the personal information of thousands of its customers as a result of a months-long leak from its shipment-tracking system.
The exposed information, found by security researcher Ashutosh Barot, includes Shipyaari customers’ names, addresses, phone numbers, order invoice amounts, and delivery status. According to Barot, Shipyaari’s customer tracking page was not password protected and could be viewed by anyone who had its web address.
“The exposed information can later be used to carry out targeted social engineering attacks and money laundering,” Barot told TechCrunch.
The researcher first contacted Shipyaari about the vulnerability in October 2021, and the company promised to fix it in December. Some changes were made, but they did not close the exposure. It was finally fixed at the end of July, after TechCrunch contacted the company about the security issue.
“I appreciate Shipyaari for fixing the issue and implementing recommendations,” Barot said.
Shipyaari remedied the vulnerability by removing customers’ personally identifiable information (PII) from the tracking page and restricting the use of its one-time PIN (OTP) system. It later updated the system to prevent bad actors from launching automated attacks against it.
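As an added illustration of the two fixes described above (this is example code written for this page, not Shipyaari’s system; the shipment record, field names, `OtpGate` class and all values in it are constructed assumptions), the following Python contrasts a tracking lookup that hands the full record to anyone holding the URL with one that returns only delivery status unless a short-lived, attempt-limited OTP is presented.

```python
"""Added example: unauthenticated tracking lookup vs. a hardened one.

Not Shipyaari's code. The record store, field names and OtpGate are
constructed for illustration; a real deployment would keep state in a
shared store and deliver the OTP out of band (SMS/e-mail), not return it.
"""
import hmac
import secrets
import time

# Constructed sample data, not real customer records.
SHIPMENTS = {
    "AWB1001": {
        "name": "Asha K.",
        "address": "12 Example Road, Mumbai",
        "phone": "+91-98xxxxxx01",
        "invoice_amount": 1499.0,
        "status": "Out for delivery",
    },
}

PUBLIC_FIELDS = ("status",)
PII_FIELDS = ("name", "address", "phone", "invoice_amount")


def track_exposed(awb):
    """The weak pattern: anyone who knows the URL gets the whole record."""
    rec = SHIPMENTS.get(awb)
    return dict(rec) if rec else None


class OtpGate:
    """Issues short-lived OTPs per shipment and locks out after repeated failures."""

    def __init__(self, ttl=300, max_attempts=5, lockout=900):
        self.ttl = ttl                  # seconds an issued OTP stays valid
        self.max_attempts = max_attempts
        self.lockout = lockout          # seconds to refuse the identifier after too many failures
        self._pending = {}              # awb -> (code, expires_at)
        self._failures = {}             # awb -> (failed_attempts, locked_until)

    def issue(self, awb, now=None):
        """Create a 6-digit OTP for this shipment; returns None while locked out."""
        now = time.time() if now is None else now
        _, locked_until = self._failures.get(awb, (0, 0))
        if now < locked_until:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[awb] = (code, now + self.ttl)
        return code   # returned here only so the example is testable offline

    def verify(self, awb, code, now=None):
        """Constant-time check; counts failures and locks the identifier out."""
        now = time.time() if now is None else now
        count, locked_until = self._failures.get(awb, (0, 0))
        if now < locked_until:
            return False
        pending = self._pending.get(awb)
        if pending is None or now > pending[1]:
            return False                # nothing issued, or expired
        if hmac.compare_digest(pending[0], str(code)):
            self._pending.pop(awb, None)   # single use
            self._failures.pop(awb, None)
            return True
        count += 1
        if count >= self.max_attempts:
            self._failures[awb] = (0, now + self.lockout)
            self._pending.pop(awb, None)   # a fresh OTP is required after lockout
        else:
            self._failures[awb] = (count, 0)
        return False


def track_hardened(awb, gate, otp=None, now=None):
    """Return only delivery status; release PII solely after a valid OTP."""
    rec = SHIPMENTS.get(awb)
    if rec is None:
        return None
    out = {k: rec[k] for k in PUBLIC_FIELDS}
    if otp is not None and gate.verify(awb, otp, now):
        out.update({k: rec[k] for k in PII_FIELDS})
    return out


if __name__ == "__main__":
    gate = OtpGate()
    print("exposed:", track_exposed("AWB1001"))
    print("hardened, no OTP:", track_hardened("AWB1001", gate))
    code = gate.issue("AWB1001")
    print("hardened, valid OTP:", track_hardened("AWB1001", gate, otp=code))
```

The two properties worth checking in review are that the unauthenticated response never contains a PII field, and that a wrong OTP does not leak anything while repeated wrong guesses stop both verification and re-issuance for the lockout window.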
“Data privacy is extremely important to us, and we will ensure that such incidents do not occur in the future,” said Vishal Totla, founder of Shipyaari.
According to Totla, customer PII will no longer be displayed on the tracking page when it loads.
Shipyaari claims to handle more than 5,000 shipments per day. The company has more than 6,000 active dealers across the country.
Barot underlined that India needs strong data privacy laws to limit the ever-increasing number of data exposures and leaks.
Earlier this month, the government of India unveiled the long-awaited Personal Data Protection Act to bring in stricter laws to protect citizens’ privacy. The law has alarmed tech giants and raised concerns about how they manage sensitive user data.